Cryptocurrency Mining Malware Infected Over 526,000 Computers

A new cryptocurrency mining botnet called Smominru has infected more than 526,000 computers using a leaked National Security Agency (NSA) exploit, according to cybersecurity firm Proofpoint.

A botnet is a collection of Internet-connected devices, which may include computers, servers, mobile devices and Internet of Things (IoT) devices, that are infected and controlled by a common type of malware. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allow the attacker access to the device and its connection.

Proofpoint researchers said the Smominru botnet, also known as Ismo, was using the NSA exploit “EternalBlue” to spread Monero mining malware. The EternalBlue exploit was leaked by the so-called Shadow Brokers hackers, who were reportedly also behind the 2017 widespread WannaCry ransomware threat. The researchers added that cybercriminals are targeting a vulnerable version of Windows, also using a leaked NSA protocol exploit called EsteemAudit.

According to the researchers, the botnet has been infecting computers since May 2017, mining about 24 Monero coins per day. To date, the botnet has reportedly managed to mine about 8,900 Monero. The highest number of Smominru-infected PCs has been found in Russia, India, and Taiwan.

Patrick Wheeler, director of threat intelligence at Proofpoint, said the Smominru campaign has been surprisingly large and resilient to efforts to disrupt it.

“Mining bots at this point are not uncommon, but what makes Smominru unique is the size, profitability and its resilience,” Wheeler said. The botnet has withstood sinkhole mitigation efforts to analyze and disrupt operations.”

Wheeler added that with ransomware or banking trojans, it’s often hard to get a sense of profitability. But with cryptocurrency it’s easy to get a sense of how effective they are.

“The threat landscape is changing,” Wheeler said. “Cybercriminals have gravitated away from ransomware and banking trojans and are now focused on cryptocurrency, as values have risen sharply over the past 18 months.”

“As bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically,” the researchers said. “While Monero can no longer be mined effectively on desktop computers, a distributed botnet like Smominru can prove quite lucrative for its operators.”

Earlier this week, security firm Trend Micro reported that Google’s DoubleClick was used to distribute cryptocurrency mining malware to a number of users in Asia and Europe.

In May 2017, the WannaCry ransomware shut down hospitals, telecom providers, and many businesses worldwide, infecting an estimated 200,000 computers in more than 150 countries, encrypting files and then charging victims $300-$600 in bitcoin to decrypt the files. WannaCry made $140,000 in bitcoins from the victims who paid for the decryption keys

In November 2017, a major ransomware campaign, called Scarab, used a botnet known as Necurs, one of the biggest computer botnets in the world, to spread out more than 12.5 million emails containing the ransomware.